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Analysis of intercepted IP traffic in a classified 
environment brings along specific challenges. 
Without proper security measures, intercepted 
malicious content may manifest itself in the 
classified analysis network. This concerns 
viruses, worms, adware but also malicious 
code specifically designed by third parties 
(e.g. certain tapped entities) to disrupt 
interception capabilities. 

This document describes several options to 
ensure that potentially insecure and malicious 
content can be analysed in a classified 
environment. 



Prerequisites 

The following prerequisites apply to the several options to handle insecure 
and malicious content described in this document: 

• Data can be active and passive. Passive data is stored and cannot 
perform actions or have actions performed. Active data may - with or 
without user intervention ("clicking”) - lead to execution of instruc- 
tions on a computer. 

• Intercepted traffic in packets is passive. 

• Reconstructed traffic by FoxReplay Analyst may become activated. 

• Word documents, email messages, web pages, Excel spreadsheets, 
chat conversations etc. are all active data. 

• A just viewed and handled graphical representation is not active any 
more. 

• Active data can be transformed, using the right techniques, into pas- 
sive (visual) documents (e.g. in PDF format or screen dumps). 

Protection Controls 

Virus Scanner 

The most elementary security measure that is able to protect against most 
public viruses, worms and other forms of malicious content is the imple- 
mentation of virus scanners. However, application of virus scanners alone 
does not always offer the right level of protection. 

Virus scanners should be applied at the client level and only if required at 
the server level. The former allows for protection against malicious content 
that is “run" on the analysts’ workstations, e.g. local exploits, macro code 
in MS Office documents, etc. The latter could be applied to provide a certain 
level of protection for the analysis server infrastructure, including the 
FoxReplay Analyst servers. The use of different vendors may be advised on 
different layers of the infrastructure. In case a virus is not detected by one 
antivirus product, the other virus protection product may be able to 
detect it. 

Please note that if antivirus software is used, this may have an impact on 
performance on both the client and the server side. Furthermore, some 
content may be blocked resulting in failed or partial reconstruction of 
intercepted internet data. This is especially the case on the server side of 
the infrastructure. 

Remote Desktop 

Using terminal server, Citrix or VMware-like solutions allows for concen- 
tration of active data in a single assigned location. Centrally dedicated 
servers process the active data as reconstructed by Fox ReplayAnalyst. The 
active data is presented to the analysts through a remote desktop connec- 
tion, exchanging only keyboard, video and mouse control data between the 
servers and the client systems. The active data is passed as passive data to 
the client workstations. 

Using remote desktop provides good assurance that any infection by inter- 
cepted malicious code does not affect the client system used by the analyst. 
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Sandboxing 

Virtualisation techniques and sandboxes making the reconstructed data 
available to analysts is a good security measure that assures that if virus 
protection fails, infections do not spread to other systems and are limited 
to the virtual environment. In combination with remote desktop con- 
nections, this ensures the workstations used by the analysts remain free 
from any (malicious) active content and any infected system can easily be 
“refreshed”. 

Please note that these safe environments sometimes can be detected by 
the hostile code and acted upon i.e. defending itself from being analysed, 
destroying the guest operating system prior to allowing the tracing of the 
program, etc. 

Diverse operating systems and applications 
Using different operating systems may limit the impact of malicious code 
in a network environment as it may not be effective on all hosts. In some 
cases this includes the application layer as well. Where a hostile exploit 
usually focuses on one particular (version of an) operating system or ap- 
plication, it leaves systems running other software (versions) unharmed. 
Although it may seem a trivial measure, this may ensure continuous availa- 
bility of the environment in case virus protection software fails. 

Network segmentation and isolation 

To prevent further spreading of malicious code, strict network segmen- 
tation and host isolation is essential. Communications with other systems 
should be limited to the bare essential protocols. Firewalls, data diodes 
and content filtering can be used to enforce this. The virtual sandboxes 
should be isolated from each other and have no means of communicating 
with any other system in the virtual sandbox infrastructure, just with the 
client that started them and the proxy to the FoxReplay Analyst infrastruc- 
ture. 

There are several ways of achieving this. In the network infrastructure, 
isolated or private VLANs could be defined to ensure hosts only are able to 
communicate with the FoxReplay Analyst infrastructure and not with each 
other. This measure relies on adequate configuration of (virtual) network 
switches. Another solution is using a (secure) tunnel from a virtual sand- 
box to the FoxReplay Analyst environment, all communications is routed 
over this tunnel to the proxy server. Unless any hostile code is able to 
change routing tables and/or the default gateway, this denies virtual sand- 
boxes talking to each other and prevents spreading of malicious content. 



Benefits of FoxReplay Analyst 



Defence in depth 

The best level of protection is achieved when the above security measures 
are combined, creating a layered defence against malicious content. A buf- 
fer zone or DMZ for performing the actual analysis in between the FoxRe- 
play Analyst infrastructure and the classified network provides assurance 
hostile code is isolated and cannot spread any further. Antivirus software 
is installed on both the analyst’s workstation and the virtual sandbox 
environments. From the physical workstation in the classified network, 
an analyst "remotely” starts and connects to an isolated virtual sandbox 
environment (DMZ) for analysis. This can be achieved by a physical KVM 
connection or approved remote desktop software. 

Limited functions are available to create for example PDF reports and 
export them outside the virtual sandbox environment into the classified 
network. Normal data diode and content filtering constructions for impor- 
ting data into a classified network should be used. 

Sample Deployment 

Below is a sample deployment that includes the levels of workstation 
protection discussed above. The workstations only send keyboard and 
mouse commands to the virtual sandbox infrastructure and receive only 
video updates back through e.g. a remote desktop protocol. By default, like 
any other system in the network, the workstations have virus protection 
software installed. The analyst uses a virtual sandbox to start Mozilla 
Fi refox and connect to the proxy server of the FoxReplay Analyst Infra- 
structure. Each virtual sandbox as well as the virtual sandbox infrastruc- 
ture also runs virus protection and is isolated from the other sandboxes 
through private VLANs and/or dedicated tunnels to the FoxReplay Analyst 
environment. Antivirus software in the FoxReplay Analyst infrastructure 
environment is optional and could be considered. 



• Real-time & Streaming 

• Perfect reconstruction 

• Communication in chronological order 

• Full-text search 

• Swift support for changed internet protocols / applications 

• Support for custom internet protocols /applications 

• As easy as using the internet 

• See exactly what the ta rget saw 

• Simultaneous ‘side-by-side’ communications 

• Supports all natural languages 

• Client-side software 
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In case a virus manifests itself in a virtual sandbox, first the virus pro- 
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tection software should trigger and eliminate the threat. If this fails, the 
second layer of protection is that the virus is isolated to the specific virtual 
sandbox and cannot spread to other sandboxes or most importantly, the 



classified network. 
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Fox-IT 

Fox-IT is a leading IT security company with a strong internati- 
onal reputation. From our headquarters in the Netherlands and 
our offices in Aruba and the UK, we deliver specialist security 
and intelligence solutions for government bodies and other 
major organizations worldwide. Our core business is developing 
solutions for the protection of state secrets, conducting digital 
forensics, audits, managed security services, consultancy and 
training courses. 
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Fox-IT 

Olof Palmestraat 6 P .0 Box 638 

2616 LM Delft 2600 AP Delft 
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